ssh-audit flagged some weak hashing algorithm which should be disabled #138
Comments
The bigger question would be when to disable To avoid a common confusion - once I don't think
This fell off my RADAR... is it something you need to do, or are these command line switches I can try to disable?
The others were dropped,
I'll probably disable it by default in a release next year.
In the interim it can be disabled at build time by putting
#define DROPBEAR_RSA_SHA1 0
in localoptions.h
On 2022-11-07 6:09 pm, cirdecH wrote:
Hello @mkj, to summarize this issue. To have the ssh-rsa warning from ssh-audit removed, we don't have a config to edit. We should wait for a future release?
@mkj - what are your thoughts on the other algorithms called out in the ssh-audit report?
I'm not intending to remove
I used the same trick to disable those successfully. Thanks!
ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of ssh-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then.

1. https://www.openssh.com/txt/release-8.2
2. mkj/dropbear#138

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

Signed-off-by: John Audia <therealgraysky@proton.me>
ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of ssh-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then.

1. https://www.openssh.com/txt/release-8.2
2. mkj/dropbear#138

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: bitthief <bitthief@protonmail.ch>
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year.[2]

1. https://www.openssh.com/txt/release-8.2
2. mkj/dropbear#138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Using ssh-audit on dropbear 2020.81 gave some recommendations for hardening:
key exchange algorithms to remove
host-key algorithms
message authentication code algorithms
With openssh, these can be toggled in the config, but I understand they need to be removed in the source for dropbear. What do you think about the report below?
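To confirm that a rebuilt dropbear no longer advertises what ssh-audit flagged (after setting DROPBEAR_RSA_SHA1 to 0 in localoptions.h as described in the thread), here is an added example, not ssh-audit's, dropbear's or anyone in the thread's code: it parses an SSH_MSG_KEXINIT as laid out in RFC 4253 and reports which of the three flagged names are still offered. The sample algorithm lists are constructed, and the option names DROPBEAR_SHA1_HMAC and DROPBEAR_DH_GROUP14_SHA1 mentioned in the comments are assumptions, not taken from this page.

```python
"""Check an SSH server's KEXINIT for the SHA-1 algorithms flagged in mkj/dropbear#138."""
import socket
import struct
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20

# Names flagged by ssh-audit in the report, keyed by the KEXINIT list they live in.
# "ssh-rsa" here is the SHA-1 RSA *signature* scheme; rsa-sha2-256 with the same key is fine.
WEAK = {
    "kex": {"diffie-hellman-group14-sha1"},
    "host_key": {"ssh-rsa"},
    "mac": {"hmac-sha1"},
}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]


def _read_name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    return (raw.decode("ascii").split(",") if raw else []), off + n


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse a KEXINIT payload into its name-lists; rejects wrong-type or truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type byte + 16-byte random cookie
    fields: Dict[str, List[str]] = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    if len(payload) < off + 5:  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    return fields


def build_kexinit(fields: Dict[str, List[str]]) -> bytes:
    """Serialise a KEXINIT payload with a zero cookie; used only to build offline samples."""
    out = bytearray([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = false, reserved = 0
    return bytes(out)


def weak_algorithms(fields: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the flagged names the server offers, per category; an empty dict means clean."""
    offered = {
        "kex": set(fields["kex"]),
        "host_key": set(fields["host_key"]),
        "mac": set(fields["mac_c2s"]) | set(fields["mac_s2c"]),  # check both directions
    }
    hits = {cat: sorted(offered[cat] & WEAK[cat]) for cat in WEAK}
    return {cat: names for cat, names in hits.items() if names}


def read_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Do the version exchange and return the server's first packet payload (its KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck_0.1\r\n")
        f = sock.makefile("rb")
        while True:  # a server may send banner lines before its version string
            line = f.readline()
            if not line:
                raise ConnectionError("server closed before sending a version string")
            if line.startswith(b"SSH-"):
                break
        header = f.read(5)
        if len(header) < 5:
            raise ConnectionError("server closed before KEXINIT")
        packet_len, pad_len = struct.unpack(">IB", header)
        body = f.read(packet_len - 1)  # payload + padding; no MAC before the first kex
        return body[: packet_len - 1 - pad_len]


# Constructed sample lists resembling a dropbear build before and after the three
# algorithms are compiled out (DROPBEAR_RSA_SHA1 is from the thread; DROPBEAR_SHA1_HMAC
# and DROPBEAR_DH_GROUP14_SHA1 are assumed names for the other two options).
SAMPLE_BEFORE = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group14-sha1", "kexguess2@matt.ucc.asn.au"],
    "host_key": ["rsa-sha2-256", "ssh-rsa", "ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha1", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
SAMPLE_AFTER = {
    k: [a for a in v if a not in ("ssh-rsa", "hmac-sha1", "diffie-hellman-group14-sha1")]
    for k, v in SAMPLE_BEFORE.items()
}

if __name__ == "__main__":
    import sys
    payload = read_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else build_kexinit(SAMPLE_BEFORE)
    print(weak_algorithms(parse_kexinit(payload)) or "no flagged algorithms offered")
```

Run with a hostname to query a live server, or without arguments to see the constructed "before" sample reported.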